How memory-safe is IoT? Assessing the impact of memory-protection solutions for securing wireless gateways

Conference item

The rapid development of the Internet of Things (IoT) has enabled novel user-centred applications, including many in safety-critical areas such as healthcare, smart environment security, and emergency response systems. The diversity in IoT manufacturers, standards, and devices creates a combinatorial explosion of such deployment scenarios, leading to increased security and safety threats due to the difficulty of managing such heterogeneity. In almost every IoT deployment, wireless gateways are crucial for interconnecting IoT devices and providing services, yet they are vulnerable to external threats and serve as key entry points for large-scale IoT attacks. Memory-based vulnerabilities are among the most serious threats in software, with no universal solution yet available. Legacy memory protection mechanisms, such as canaries, RELRO, NX, and Fortify, have enhanced memory safety but remain insufficient for comprehensive protection. Emerging technologies like ARM-MTE, CHERI, and Rust are based on more universal and robust Secure-by-Design (SbD) memory safety principles, yet each entails different trade-offs in hardware or code modifications. Given the challenges of balancing security levels with associated overheads in IoT systems, this paper explores the impact of memory safety on the IoT domain through an empirical large-scale analysis of memory-related vulnerabilities in modern wireless gateways. Our results show that memory vulnerabilities constitute the majority of IoT gateway threats, underscoring the necessity for SbD solutions, with the choice of memory-protection technology depending on specific use cases and associated overheads.

Authors: Safronov, V; Bostan, I; Allott, N; Martin, A

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Association for Computing Machinery
• Host title: IoT '24: Proceedings of the 14th International Conference on the Internet of Things
• Pages: 261-266
• Place of publication: New York
• Publication date: 2025-03-31
• Acceptance date: 2024-10-11
• Event title: 1st International Workshop on Internet of Things for Safety-Critical Cyber Physical Systems (IoT4safety 2024)
• Event location: Oulu, Finland
• Event website: https://sites.google.com/view/iot-4-safety/home?authuser=0
• Event start date: 2024-11-14
• Event end date: 2024-11-14
• DOI: 10.1145/3703790.3703820
• ISBN: 9798400712852
• Language: English
• Keywords: Internet of Things; memory safety; firmware analysis; security